1 Answer
1

Active Directory security groups are a logical choice as you would only need to remove the user's membership from the groups to stop their access and vice versa -- add them to the groups to grant them access.

However, you cannot nest AD groups (that is, you can't have groups within groups), so for this to work you need to have all the users in a group, which could mean you'll have lots of groups, and users may be members of lots of groups as well.

Unfortunately not an option in this case.
– ElvisLikeBear, Dec 13 '12 at 4:04

May I ask what sort of constraints you have that would prevent using this model?
– shufler, Dec 13 '12 at 16:13

One business unit manages the environment, another the active directory network. The one that manages the environment is only site collection administrators.
– ElvisLikeBear, Dec 13 '12 at 23:02

OK, I understand there is a separation of duties, but can the SharePoint administrators provide the AD administrators with a list of groups and users to set up in AD? To be fair, you would require this with nested groups as well (unless the groups already exist).
– shufler, Dec 14 '12 at 1:28

In theory - but unfortunately it's big business and communication between the teams is poor at best, unworkable at worst. It's far more feasible in this scenario to manage this from role groups.
– ElvisLikeBear, Dec 14 '12 at 3:33